DETAILED ACTION

1. This action is in response to application 10/774,169 filed 4/11/07. Claims 1, 4-26, 28-35, 38-60, 62-69, 72-94, 96-108 represent method, apparatus, and computer readable medium for detecting and protecting against worm traffic on a network.

2. In view of the pre-appeal conference filed on 4/11/07, PROSECUTION IS HEREBY REOPENED; new grounds of rejection are set forth below.

To avoid abandonment of the application, appellant must exercise one of the 
following two options: 

(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply under 37 CFR 1.113 (if this Office action is final); or,

(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41.31 followed by an appeal brief under 37 CFR 41.37. The previously paid notice of appeal fee and appeal brief fee can be applied to the new appeal. If, however, the appeal fees set forth in 37 CFR 41.20 have been increased since they were previously paid, then appellant must pay the difference between the increased fees and the amount previously paid.

A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by 
signing below: 
Claim Rejections - 35 USC § 103

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

4. Claims 1, 4-11, 21-22, 25-26, 28-35, 38-45, 55-56, 59-60, 62-69, 72-79, 89-90, 
93-94, 96-103, 105 & 107 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Lyle, Patent No. 6,886,102 B1 in view of Givoly, Patent No. 7,099,940 B2. 

Lyle teaches the invention as claimed, including a system and method for protecting a computer network against denial of service attacks (see abstract).

5. As to claim 1, Lyle teaches a method for processing communication traffic, comprising:

monitoring the communication traffic that is directed to the addresses in the subset (col 5, lines 12-17; Lyle discloses a method of monitoring the network connection used to send and receive information via the network and other computers);

determining respective baseline characteristics of the communication traffic that is directed to each of the addresses in the subset (col 8, lines 14-20; Lyle discloses a method of determining the baseline incident rate and the variance used for all networks);

detecting a deviation from the respective baseline characteristics of the communication traffic directed to at least one of the addresses in the group, wherein the deviation is indicative that at least a portion of the communication traffic is of potentially malicious origin (col 10, lines 28-34; Lyle discloses a method of detecting a suspicious high volume of network traffic and the particular portion that is attacked).

But Lyle failed to teach the claim limitation wherein Identifying a subset of the 
group of the addresses such that the addresses in the subset are expected to receive 
smaller amounts of the communication traffic than other addresses in the group; 
responsively to detecting the deviation, filtering the communication traffic that is directed 
to all of the addresses in the group so as to remove at least some of the communication 
traffic that is of the malicious origin. 

However, Givoly teaches a system, method and computer program product for processing network accounting information (see abstract). Givoly teaches the limitation
wherein Identifying a subset of the group of the addresses such that the addresses in 
the subset are expected to receive smaller amounts of the communication traffic than 
other addresses in the group (col 7, lines 22-24); responsively to detecting the 
deviation, filtering the communication traffic that is directed to all of the addresses in the 
group so as to remove at least some of the communication traffic that is of the malicious 
origin (col 7, lines 18-21). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Givoly so that the system would be able to identify the unwanted information surges which occur as a result of situations other than network attacks. One would be motivated to do so in order to identify the accts condition and to discard and aggregate a portion of the information once the attack is detected.
6. As to claim 4, Lyle and Givoly teach the method as recited in claim 1, wherein the baseline characteristics comprise a distribution of communication protocols used in generating the communication traffic (col 10, lines 19-28; Lyle discloses a method of tracking the communication traffic using the sniffer module).

7. As to claim 5, Lyle and Givoly teach the method as recited in claim 1, wherein the baseline characteristics comprise a distribution of ports to which the communication traffic is directed (col 14, lines 38-42; Lyle discloses a method of tracking the source of the attack to determine the point at which the attack is entering the network or sub-network).

8. As to claim 6, Lyle and Givoly teach the method as recited in claim 1, wherein the baseline characteristics comprise a distribution of source addresses of the communication traffic (col 14, lines 13-19; Lyle discloses a method of determining characteristics of the incident, such as the source address, target address, and preceding characteristics).

9. As to claim 7, Lyle and Givoly teach the method as recited in claim 1, wherein the baseline characteristics comprise a distribution of sizes of data packets sent to the addresses in the group (col 10, lines 44-53; Lyle discloses a method of detecting a particular port receiving an unusually high number of data packets of any type, which the sniffer module would identify as a possible attack).

10. As to claim 8, Lyle and Givoly teach the method as recited in claim 1, wherein the baseline characteristics are indicative of a distribution of operating systems running on computers that have transmitted the communication traffic (col 21, lines 32-49; Lyle discloses a method of determining the system receiving and sending the packets).

11. As to claim 9, Lyle and Givoly teach the method as recited in claim 8, wherein 
detecting the deviation comprises reading a Time-To-Live (TTL) field in Internet Protocol 
headers of data packets sent to the addresses in the group, and detecting a change in 
values of the TTL field relative to the baseline characteristics (col 11, lines 26-38).

12. As to claim 10, Lyle and Givoly teach the method as recited in claim 1, wherein detecting the deviation comprises detecting events that are indicative of a failure in communication between a first computer at one of the addresses in the group and a second computer at another location in the network (col 6, lines 61 - col 7, lines 15; Lyle discloses a method of tracking the location of the core routers and any associated network element and blocking the potential attack).

13. As to claim 11, Lyle and Givoly teach the method as recited in claim 10, wherein
detecting the events comprises detecting failures to establish a Transmission Control 
Protocol (TCP) connection (col 22, lines 25-43). 
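As an added example (not code from the office action, Lyle, or Givoly), the following Python models the claim 1 steps together with the baseline characteristics of claims 4-9: per-address distributions of protocol, destination port, source address, packet size and TTL are learned for a low-traffic subset of addresses, a deviation is flagged when a window's distribution moves too far from the baseline, and traffic to every address in the group that carries the over-represented values is then filtered. The address group, packets and thresholds are constructed for illustration.

```python
# Added illustration of the claim 1 / claims 4-9 logic; addresses, packets and
# thresholds below are constructed, not taken from the office action or patents.
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int
    size: int    # bytes on the wire
    ttl: int     # IP Time-To-Live, a rough proxy for the sending OS (claims 8-9)


# Hypothetical protected group and the subset expected to receive little traffic.
GROUP = {"10.0.0.1", "10.0.0.2", "10.0.0.200", "10.0.0.201"}
LOW_TRAFFIC_SUBSET = {"10.0.0.200", "10.0.0.201"}


def features(p: Packet) -> dict:
    """The baseline characteristics of claims 4-9 for one packet."""
    return {"proto": p.proto, "dport": p.dport, "src": p.src,
            "size": (p.size // 64) * 64, "ttl": p.ttl}


def build_baseline(packets, subset):
    """Per-address probability distribution of each characteristic."""
    counts = {a: defaultdict(Counter) for a in subset}
    for p in packets:
        if p.dst in subset:
            for k, v in features(p).items():
                counts[p.dst][k][v] += 1
    dist = {a: {} for a in subset}
    for a, per_feature in counts.items():
        for k, c in per_feature.items():
            total = sum(c.values())
            dist[a][k] = {v: n / total for v, n in c.items()}
    return dist


def l1_distance(p, q):
    """L1 distance between two distributions; 0 = identical, 2 = disjoint."""
    return sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


def detect_deviation(window, baseline, subset, threshold=1.0, min_packets=5):
    """Map each deviating subset address to the characteristics that moved."""
    observed = build_baseline(window, subset)
    alerts = {}
    for a in subset:
        if sum(1 for p in window if p.dst == a) < min_packets:
            continue
        moved = [k for k in baseline[a]
                 if l1_distance(baseline[a][k], observed[a].get(k, {})) > threshold]
        if moved:
            alerts[a] = moved
    return alerts


def filter_group(window, alerts, baseline, subset, group, weight=0.5):
    """Response step of claim 1: drop traffic to every group address that
    carries a value over-represented (by more than `weight`) in a deviating
    characteristic of a subset address."""
    observed = build_baseline(window, subset)
    suspect = defaultdict(set)
    for a, moved in alerts.items():
        for k in moved:
            for v, w in observed[a].get(k, {}).items():
                if w - baseline[a][k].get(v, 0.0) > weight:
                    suspect[k].add(v)
    kept = []
    for p in window:
        f = features(p)
        if p.dst in group and any(f[k] in vals for k, vals in suspect.items()):
            continue  # likely malicious; removed from the group's traffic
        kept.append(p)
    return kept


# Constructed learning traffic: ordinary web traffic to the quiet address.
BASELINE_PACKETS = [
    Packet(f"198.51.100.{i % 7}", "10.0.0.200", "tcp",
           80 if i % 2 else 443, 200 + 100 * (i % 3), 64 if i % 3 else 128)
    for i in range(40)
]
# Constructed detection window: a burst to port 445 hits both the quiet
# address and a busy one, alongside five ordinary packets.
ATTACK_WINDOW = (
    [Packet(f"203.0.113.{i % 5}", "10.0.0.200", "tcp", 445, 64, 128) for i in range(20)]
    + [Packet(f"203.0.113.{i % 5}", "10.0.0.1", "tcp", 445, 64, 128) for i in range(10)]
    + [Packet("198.51.100.1", "10.0.0.200", "tcp", 80, 200, 64) for _ in range(5)]
)


def run_demo():
    """Learn the baseline, detect the deviation, filter the whole group."""
    baseline = build_baseline(BASELINE_PACKETS, LOW_TRAFFIC_SUBSET)
    alerts = detect_deviation(ATTACK_WINDOW, baseline, LOW_TRAFFIC_SUBSET)
    kept = filter_group(ATTACK_WINDOW, alerts, baseline, LOW_TRAFFIC_SUBSET, GROUP)
    return alerts, kept


if __name__ == "__main__":
    alerts, kept = run_demo()
    print("deviations:", alerts)
    print(f"kept {len(kept)} of {len(ATTACK_WINDOW)} packets")
```

Only the quiet address needs to deviate for the port-445 burst to be removed from the busy address as well, which is the point of claim 1's "all of the addresses in the group" response.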

14. As to claim 21, Lyle and Givoly teach the method as recited in claim 1, wherein 
detecting the deviation comprises detecting a type of the communication traffic that 
appears to be of the malicious origin, and wherein monitoring the communication traffic 
comprises collecting specific information relating to the traffic of the detected type (col 4, lines 55-68; Lyle discloses a method of monitoring the security of the computer network for suspicious, malicious or virus packets).
15. As to claim 22, Lyle and Givoly teach the method as recited in claim 21, wherein collecting the specific information comprises determining one or more source addresses of the traffic of the detected type (col 10, lines 38-43; Lyle discloses a method of listing the suspicious source addresses).

16. As to claim 25, Lyle teaches a method for processing communication traffic, 
comprising: 

monitoring the communication traffic originating from a group of addresses and passing through a selected node on a network (col 12, lines 44-53; Lyle discloses a method of monitoring the communication traffic of the network for sending and receiving packets);

tracing a route of the traffic from the selected node back to the at least one of the addresses so as to identify a location of the computer on which the malicious program is running (col 6, lines 15-23; Lyle discloses a tracking system for the network elements of the protected area).

But Lyle failed to teach the claim limitation wherein detecting a pattern in the 
traffic originating from at least one of the addresses that is indicative of a malicious 
program running on a computer at the at least one of the addresses by determining that 
the computer has transmitted packets to a large number of different destination 
addresses. 

However, Givoly teaches the limitation wherein detecting a pattern in the traffic 
originating from at least one of the addresses that is indicative of a malicious program 
running on a computer at the at least one of the addresses by determining that the 
computer has transmitted packets to a large number of different destination addresses
(col 5, lines 33-40; 48-54). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Givoly so that the system would be able to recognize the pattern of the network attack. One would be motivated to do so to prevent attacks on the network.

17. As to claim 26, Lyle and Givoly teach the method as recited in claim 25, wherein tracing the route comprises identifying a port of a switch on the network to which the computer is connected, and comprising disabling the identified port (col 16, lines 54 - col 17, lines 13; Lyle discloses a method of tracking the port at which the attack was detected, identifying the port of the node through which packets or messages associated with the attack entered that node).

18. As to claim 28, Lyle and Givoly teach the method as recited in claim 25, wherein detecting the pattern comprises detecting a large number of packets transmitted by the computer to a specified port (col 12, lines 63 - col 13, lines 8; Lyle discloses a method of detecting massive numbers of copies of a suspicious but relatively innocuous message sent in the hope of overloading the security system).

Application/Control Number: 10/774,169 Page 9
Art Unit: 2155

19. As to claim 29, Lyle teaches a method for processing communication traffic, comprising:

monitoring the communication traffic on a network so as to detect packets that are indicative of a communication failure in the network that is characteristic of a worm infection (col 10, lines 53-59; Lyle discloses a method of monitoring the network traffic for traffic that is suspicious in the sense that it indicates that an attack may be taking place);

detecting an increase in a rate of arrival of the packets that are indicative of the communication failure (col 10, lines 60 - col 11, lines 1; Lyle discloses a method of determining whether the rate of certain types of messages exceeds a normal level).

But Lyle failed to teach the claim limitation wherein responsively to the increase, 
filtering the communication traffic so as to remove at least a portion of the 
communication traffic that is generated by the worm infection. 

However, Givoly teaches the limitation wherein responsively to the increase, 
filtering the communication traffic so as to remove at least a portion of the 
communication traffic that is generated by the worm infection (col 6, lines 45-48; col 7, 
lines 18-21). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Givoly so that the system would be able to discard and aggregate a portion of the information. One would be motivated to do so to prevent overload and infection of the network.

20. As to claim 30, Lyle and Givoly teach the method as recited in claim 29, wherein 
monitoring the communication traffic comprises detecting Internet Control Message 
Protocol (ICMP) unreachable packets (col 9, lines 7-37). 

21. As to claim 31, Lyle and Givoly teach the method as recited in claim 29, wherein
monitoring the communication traffic comprises detecting failures to establish a 
Transmission Control Protocol (TCP) connection (col 22, lines 25-43). 
22. As to claim 32, Lyle teaches a method for processing communication traffic, comprising:

monitoring the communication traffic on a network so as to detect ill-formed packets (col 7, lines 9-19; Lyle discloses a method of scanning the network for suspicious data within the tracking system);

making a determination, responsively to the ill-formed packets, that at least a portion of the communication traffic has been generated by a worm infection (col 8, lines 26-39; Lyle discloses a method in which the alert module determines a potential attack).

But Lyle failed to teach the claim limitation wherein responsively to the 
determination, filtering the communication traffic so as to remove at least the portion of 
the communication traffic that is generated by the worm infection. 

However, Givoly teaches the limitation wherein responsively to the determination, 
filtering the communication traffic so as to remove at least the portion of the 
communication traffic that is generated by the worm infection (col 6, lines 45-48; col 7, 
lines 18-21). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Givoly so that the system would be able to discard and aggregate a portion of the information. One would be motivated to do so to prevent overload and infection of the network.

23. As to claim 33, Lyle and Givoly teach the method as recited in claim 32, wherein 
the packets comprise a header specifying a communication protocol, and wherein 
monitoring the communication traffic comprises determining that the packets contain data that are incompatible with the specified communication protocol (col 11, lines 61 - col 12, lines 19; Lyle discloses a method of determining an incompatible packet by measuring the numerical order of the packet).

24. As to claim 34, Lyle and Givoly teach the method as recited in claim 32, wherein 
the packets comprise a header specifying a packet length, and wherein monitoring the 
communication traffic comprises determining that the packets contain an amount of data 
that is incompatible with the specified packet length (col 18, lines 48-59; Lyle discloses a method of identifying a suspicious packet by its bits).
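As an added example (not code from the office action, Lyle, or Givoly), the following Python models the worm indicators of claims 25-34 over a constructed event trace: a source that fans out to many destination addresses or floods one port (claims 25, 28), a rise in the per-second rate of ICMP unreachable packets and failed TCP connects relative to a baseline window (claims 29-31), and packets whose carried data disagrees with the declared header length (claims 32, 34), followed by the filtering step the claims recite. Hosts, timings and thresholds are assumptions made for illustration.

```python
# Added illustration of the claims 25-34 indicators; hosts, timings and
# thresholds below are constructed, not taken from the office action or patents.
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: int                 # second in which the packet was seen
    src: str
    dst: str
    kind: str              # "syn", "syn_fail", "icmp_unreach" or "data"
    dport: int = 0
    declared_len: int = 0  # length the packet header claims (claim 34)
    actual_len: int = 0    # bytes actually carried


def fan_out(events, min_dsts=20, min_to_port=20):
    """Claims 25 and 28: sources that sent packets to many different
    destinations, or a large number of packets to one port."""
    dsts = defaultdict(set)
    per_port = Counter()
    for e in events:
        if e.kind in ("syn", "data"):
            dsts[e.src].add(e.dst)
            per_port[(e.src, e.dport)] += 1
    suspects = {s for s, d in dsts.items() if len(d) >= min_dsts}
    suspects |= {s for (s, _), n in per_port.items() if n >= min_to_port}
    return suspects


def failure_rate_increase(events, baseline_secs, factor=4.0, floor=1.0):
    """Claims 29-31: compare the per-second rate of ICMP unreachable packets
    and failed TCP connects in the current window with the baseline window
    (seconds 0 .. baseline_secs-1).  Returns (rising, current_rate)."""
    if not events:
        return False, 0.0
    fails = [e.t for e in events if e.kind in ("icmp_unreach", "syn_fail")]
    last = max(e.t for e in events)
    cur_secs = max(1, last + 1 - baseline_secs)
    base_rate = sum(1 for t in fails if t < baseline_secs) / baseline_secs
    cur_rate = sum(1 for t in fails if t >= baseline_secs) / cur_secs
    return cur_rate > factor * max(base_rate, floor), cur_rate


def ill_formed(events):
    """Claims 32 and 34: packets whose carried data disagrees with the length
    declared in the header."""
    return [e for e in events if e.kind == "data" and e.declared_len != e.actual_len]


def assess(events, baseline_secs=10):
    """Combine the indicators into one verdict on whether to start filtering."""
    scanners = fan_out(events)
    rising, rate = failure_rate_increase(events, baseline_secs)
    bad = ill_formed(events)
    return {"scanners": scanners, "failure_rate": rate, "failures_rising": rising,
            "ill_formed": len(bad), "filter": bool(scanners) or rising or bool(bad)}


def filter_events(events, verdict):
    """Response step of claims 29 and 32: once a worm is inferred, drop the
    traffic sent by scanning sources and every ill-formed packet."""
    if not verdict["filter"]:
        return list(events)
    return [e for e in events
            if e.src not in verdict["scanners"]
            and not (e.kind == "data" and e.declared_len != e.actual_len)]


def build_sample():
    """Constructed trace: ten seconds of ordinary traffic, then one host fans
    out to 40 addresses on port 445 and most targets answer with failures."""
    ev = []
    for t in range(10):
        for h in range(10):
            ev.append(Event(t, f"10.0.0.{h + 1}", f"192.0.2.{h % 2 + 1}", "syn", 80))
        ev.append(Event(t, "10.0.0.3", "192.0.2.9", "syn_fail", 80))
    for i in range(40):
        t, target = 10 + i % 5, f"10.0.1.{i + 1}"
        ev.append(Event(t, "10.0.0.77", target, "syn", 445))
        if i % 8 < 5:
            ev.append(Event(t, target, "10.0.0.77", "icmp_unreach"))
        elif i % 8 < 7:
            ev.append(Event(t, target, "10.0.0.77", "syn_fail"))
    ev.append(Event(12, "10.0.0.77", "10.0.1.7", "data", 445, declared_len=1500, actual_len=40))
    ev.append(Event(12, "10.0.0.5", "192.0.2.1", "data", 80, declared_len=200, actual_len=200))
    return ev


if __name__ == "__main__":
    trace = build_sample()
    verdict = assess(trace)
    print(verdict)
    print(f"kept {len(filter_events(trace, verdict))} of {len(trace)} events")
```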

25. As to claim 35, Lyle teaches an apparatus comprising a guard device, which is 
adapted to 

monitor the communication traffic that is directed to a group of addresses in the subset (col 5, lines 12-17; Lyle discloses an apparatus for monitoring the network connection used to send and receive information via the network and other computers),

to determine respective baseline characteristics of the communication traffic that is directed to each of the addresses in the subset (col 8, lines 14-20; Lyle discloses an apparatus for determining the baseline incident rate and the variance used for all networks),

to detect a deviation from the respective baseline characteristics of the communication traffic directed to at least one of the addresses in the subset, wherein the deviation is indicative that at least a portion of the communication traffic is of potentially malicious origin (col 10, lines 28-34; Lyle discloses an apparatus for detecting a suspicious high volume of network traffic and the particular portion that is attacked).

But Lyle failed to teach the claim limitation wherein identify a selected subset of 
the group of the addresses such that the addresses in the subset are expected to 
receive smaller amounts of the communication traffic than other addresses in the group; 
responsively to detecting the deviation, to filter the communication traffic that is directed 
to all of the addresses in the group so as to remove at least some of the communication 
traffic that is of the malicious origin. 

However, Givoly teaches the limitation wherein identify a selected subset of the 
group of the addresses such that the addresses in the subset are expected to receive 
smaller amounts of the communication traffic than other addresses in the group (col 7, 
lines 22-24); responsively to detecting the deviation, to filter the communication traffic 
that is directed to all of the addresses in the group so as to remove at least some of the 
communication traffic that is of the malicious origin (col 7, lines 18-21). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Givoly so that the system would be able to identify the unwanted information surges which occur as a result of situations other than network attacks. One would be motivated to do so in order to identify the accts condition and to discard and aggregate a portion of the information once the attack is detected.

26. As to claim 38, Lyle and Givoly teach the apparatus as recited in claim 35, wherein the baseline characteristics comprise a distribution of communication protocols used in generating the communication traffic (col 10, lines 19-28; Lyle discloses an apparatus for tracking the communication traffic using the sniffer module).

27. As to claim 39, Lyle and Givoly teach the apparatus as recited in claim 35, wherein the baseline characteristics comprise a distribution of ports to which the communication traffic is directed (col 14, lines 38-42; Lyle discloses an apparatus for tracking the source of the attack to determine the point at which the attack is entering the network or sub-network).

28. As to claim 40, Lyle and Givoly teach the apparatus as recited in claim 35, wherein the baseline characteristics comprise a distribution of source addresses of the communication traffic (col 14, lines 13-19; Lyle discloses an apparatus for determining characteristics of the incident, such as the source address, target address, and preceding characteristics).

29. As to claim 41, Lyle and Givoly teach the apparatus as recited in claim 35, wherein the baseline characteristics comprise a distribution of sizes of data packets sent to the addresses in the group (col 10, lines 44-53; Lyle discloses an apparatus for detecting a particular port receiving an unusually high number of data packets of any type, which the sniffer module would identify as a possible attack).

30. As to claim 42, Lyle and Givoly teach the apparatus as recited in claim 35, wherein the baseline characteristics are indicative of a distribution of operating systems running on computers that have transmitted the communication traffic (col 21, lines 32-49; Lyle discloses an apparatus for determining the system receiving and sending the packets).
31. As to claim 43, Lyle and Givoly teach the apparatus as recited in claim 42, wherein the guard device is adapted to read a Time-To-Live (TTL) field in Internet Protocol headers of data packets sent to the addresses in the group, and to detect a change in values of the TTL field relative to the baseline characteristics due to the distribution of the operating systems (col 11, lines 26-38).

32. As to claim 44, Lyle and Givoly teach the apparatus as recited in claim 35, 
wherein the guard device is adapted to detect events that are indicative of a failure in 
communication between a first computer at one of the addresses in the group and a 
second computer at another location in the network (col 6, lines 61 - col 7, lines 15; Lyle discloses an apparatus for tracking the location of the core routers and any associated network element and blocking the potential attack).

33. As to claim 45, Lyle and Givoly teach the apparatus as recited in claim 44, 
wherein the events comprise failures to establish a Transmission Control Protocol 
(TCP) connection (col 22, lines 25-43). 

34. As to claim 55, Lyle and Givoly teach the apparatus as recited in claim 35, 
wherein the guard device is adapted to detect a type of the communication traffic that 
appears to be of the malicious origin, and to monitor the communication traffic so as to 
collect specific information relating to the traffic of the detected type (col 4, lines 55-68; Lyle discloses an apparatus for monitoring the security of the computer network for suspicious, malicious or virus packets).

35. As to claim 56, Lyle and Givoly teach the apparatus as recited in claim 55, 
wherein the specific information comprises one or more source addresses of the traffic 
of the detected type (col 10, lines 38-43; Lyle discloses an apparatus for listing the suspicious source addresses).

36. As to claim 59, Lyle teaches an apparatus comprising: 

monitor the communication traffic originating from a group of addresses and passing through a selected node on a network (col 12, lines 44-53; Lyle discloses an apparatus for monitoring the communication traffic of the network for sending and receiving packets),

to trace a route of the traffic from the selected node back to the at least one of the addresses so as to identify a location of the computer on which the malicious program is running (col 6, lines 15-23; Lyle discloses a tracking system for the network elements of the protected area).

But Lyle failed to teach the claim limitation wherein to detect a pattern in the 
traffic originating from at least one of the addresses that is indicative of a malicious 
program running on a computer at the at least one of the addresses by determining that 
the computer has transmitted packets to a large number of different destination 
addresses. 

However, Givoly teaches the limitation wherein to detect a pattern in the traffic 
originating from at least one of the addresses that is indicative of a malicious program 
running on a computer at the at least one of the addresses by determining that the 
computer has transmitted packets to a large number of different destination addresses 
(col 5, lines 33-40; 48-54). 
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Givoly so that the system would be able to recognize the pattern of the network attack. One would be motivated to do so to prevent attacks on the network.

37. As to claim 60, Lyle and Givoly teach the apparatus as recited in claim 59, wherein the guard device is adapted to identify a port of a switch on the network to which the computer is connected, and to instruct the switch to disable the identified port (col 16, lines 54 - col 17, lines 13; Lyle discloses an apparatus for tracking the port at which the attack was detected, identifying the port of the node through which packets or messages associated with the attack entered that node).

38. As to claim 62, Lyle and Givoly teach the apparatus as recited in claim 59, wherein the guard device is adapted to detect the pattern by detecting a large number of packets transmitted by the computer to a specified port (col 12, lines 63 - col 13, lines 8; Lyle discloses an apparatus for detecting massive numbers of copies of a suspicious but relatively innocuous message sent in the hope of overloading the security system).

39. As to claim 63, Lyle teaches an apparatus comprising: 

monitor the communication traffic on a network so as to detect packets that are indicative of a communication failure in the network that is characteristic of a worm infection (col 10, lines 53-59; Lyle discloses an apparatus for monitoring the network traffic for traffic that is suspicious in the sense that it indicates that an attack may be taking place),

to detect an increase in a rate of arrival of the packets that are indicative of the communication failure (col 10, lines 60 - col 11, lines 1; Lyle discloses an apparatus for determining whether the rate of certain types of messages exceeds a normal level).

But Lyle failed to teach the claim limitation wherein responsively to the increase, 
to filter the communication traffic so as to remove at least a portion of the 
communication traffic that is generated by the worm infection. 

However, Givoly teaches the limitation wherein responsively to the increase, to 
filter the communication traffic so as to remove at least a portion of the communication 
traffic that is generated by the worm infection (col 6, lines 45-48; col 7, lines 18-21). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Givoly so that the system would be able to discard and aggregate a portion of the information. One would be motivated to do so to prevent overload and infection of the network.

40. As to claim 64, Lyle and Givoly teach the apparatus as recited in claim 63, 
wherein the guard device is adapted to detect Internet Control Message Protocol 
(ICMP) unreachable packets as an indication of the communication failure (col 9, lines 
7-37). 

41. As to claim 65, Lyle and Givoly teach the apparatus as recited in claim 63,
wherein the guard device is adapted to detect failures to establish a Transmission 
Control Protocol (TCP) connection (col 22, lines 25-43). 
42. As to claim 66, Lyle teaches an apparatus comprising a guard device, which is adapted:

to monitor the communication traffic on a network so as to detect ill-formed packets (col 7, lines 9-19; Lyle discloses an apparatus for scanning the network for suspicious data within the tracking system),

to make a determination, responsively to the ill-formed packets, that at least a portion of the communication traffic has been generated by a worm infection (col 8, lines 26-39; Lyle discloses an apparatus in which the alert module determines a potential attack).

But Lyle failed to teach the claim limitation wherein responsively to the 
determination, to filter the communication traffic so as to remove the at least the portion 
of the communication traffic that is generated by the worm infection. 

However, Givoly teaches the limitation wherein responsively to the determination, 
to filter the communication traffic so as to remove the at least the portion of the 
communication traffic that is generated by the worm infection (col 6, lines 45-48; col 7, 
lines 18-21). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Givoly so that the system would be able to discard and aggregate a portion of the information. One would be motivated to do so to prevent overload and infection of the network.

43. As to claim 67, Lyle and Givoly teach the apparatus as recited in claim 66, 
wherein the packets comprise a header specifying a communication protocol, and 
wherein the guard device is adapted to detect that the packets contain data that are incompatible with the specified communication protocol (col 11, lines 61 - col 12, lines 19; Lyle discloses an apparatus for determining an incompatible packet by measuring the numerical order of the packet).

44. As to claim 68, Lyle and Givoly teach the apparatus as recited in claim 66, 
wherein the packets comprise a header specifying a packet length, and wherein the 
guard device is adapted to detect that the packets contain an amount of data that is 
incompatible with the specified packet length (col 18, lines 48-59; Lyle discloses an apparatus for identifying a suspicious packet by its bits).

45. As to claim 69, Lyle teaches a computer software product, comprising: 

a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to monitor communication traffic that is directed to the addresses in the subset (col 5, lines 12-17; Lyle discloses a product for monitoring the network connection used to send and receive information via the network and other computers),

to determine respective baseline characteristics of the communication traffic that is directed to each of the addresses in the subset (col 8, lines 14-20; Lyle discloses a product for determining the baseline incident rate and the variance used for all networks),

to detect a deviation from the respective baseline characteristics of the communication traffic directed to at least one of the addresses in the subset, wherein the deviation is indicative that at least a portion of the communication traffic is of potentially malicious origin (col 10, lines 28-34; Lyle discloses a product for detecting a suspicious high volume of network traffic and the particular portion that is attacked).

But Lyle failed to teach the claim limitation wherein to identify a selected subset 
of the group of the addresses such that the addresses in the subset are expected to 
receive smaller amounts of the communication traffic than other addresses in the group, 
responsively to detecting the deviation, to filter the communication traffic that is directed 
to all of the addresses in the group so as to remove at least some of the communication 
traffic that is of the malicious origin. 

However, Givoly teaches the limitation wherein to identify a selected subset of 
the group of the addresses such that the addresses in the subset are expected to 
receive smaller amounts of the communication traffic than other addresses in the group 
(col 7, lines 22-24), responsively to detecting the deviation, to filter the communication 
traffic that is directed to all of the addresses in the group so as to remove at least some 
of the communication traffic that is of the malicious origin (col 7, lines 18-21).

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Givoly so that the system would be able to identify 
the unwanted information surges which occur as a result of situations other than 
network attacks. One would be motivated to do so to identify the attack condition and 
to discard the aggregated portion of the information once the attack is detected. 
46. As to claim 72, Lyle and Givoly teach the product as recited in claim 69, wherein 
the baseline characteristics comprise a distribution of communication protocols used in 
generating the communication traffic (col 10, lines 19-28; Lyle discloses a product 
that tracks the communication traffic using the sniffer module). 

47. As to claim 73, Lyle and Givoly teach the product as recited in claim 69, wherein 
the baseline characteristics comprise a distribution of ports to which the communication 
traffic is directed (col 14, lines 38-42; Lyle discloses a product that tracks the 
source of the attack to determine the point at which the attack is entering the 
network or sub-network). 

48. As to claim 74, Lyle and Givoly teach the product as recited in claim 69, wherein 
the baseline characteristics comprise a distribution of source addresses of the 
communication traffic (col 14, lines 13-19; Lyle discloses a product that records 
characteristics of the incident, such as the source address, target address, and 
preceding characteristics). 

49. As to claim 75, Lyle and Givoly teach the product as recited in claim 69, wherein 
the baseline characteristics comprise a distribution of sizes of data packets sent to the 
addresses in the group (col 10, lines 44-53; Lyle discloses a product in which the 
sniffer module identifies a particular port that receives an unusually high number of 
data packets of any type as a possible attack). 

50. As to claim 76, Lyle and Givoly teach the product as recited in claim 69, wherein 
the baseline characteristics are indicative of a distribution of operating systems running 
on computers that have transmitted the communication traffic (col 21, lines 32-49; Lyle 
discloses a product that determines the system receiving and sending the packets). 
51. As to claim 77, Lyle and Givoly teach the product as recited in claim 76, wherein 
instructions cause the computer to read a Time-To-Live (TTL) field in Internet Protocol 
headers of data packets sent to the addresses in the group, and to detect a change in 
values of the TTL field relative to the baseline characteristics due to the distribution of 
the operating systems (col 11, lines 26-38). 

52. As to claim 78, Lyle and Givoly teach the product as recited in claim 69, wherein 
the instructions cause the computer to detect events that are indicative of a failure in 
communication between a first computer at one of the addresses in the group and a 
second computer at another location in the network (col 6, line 61 - col 7, line 15; 
Lyle discloses a product that tracks the location of the core routers and any 
associated network element and blocks the potential attack). 

53. As to claim 79, Lyle and Givoly teach the product as recited in claim 78, wherein 
the events comprise failures to establish a Transmission Control Protocol (TCP) 
connection (col 22, lines 25-43). 

54. As to claim 89, Lyle and Givoly teach the product as recited in claim 69, wherein 
the instructions cause the computer to detect a type of the communication traffic that 
appears to be of the malicious origin, and to monitor the communication traffic so as to 
collect specific information relating to the traffic of the detected type (col 4, lines 55-68; 
Lyle discloses a product that monitors the security of the computer network against 
suspicious, malicious or virus packets). 

55. As to claim 90, Lyle and Givoly teach the product as recited in claim 89, wherein 
the specific information comprises one or more source addresses of the traffic of the 
detected type (col 10, lines 38-43; Lyle discloses a product that compiles a list of 
suspicious source addresses). 

56. As to claim 93, Lyle teaches a computer software product, comprising: 

a computer-readable medium in which program instructions are stored, which 
instructions, when read by a computer, cause the computer to monitor the 
communication traffic originating from a group of addresses and passing through a 
selected node on a network (col 12, lines 44-53; Lyle discloses a product that 
monitors the communication traffic of the network for sent and received packets), 

to trace a route of the traffic from the selected node back to the at least one of 
the addresses so as to identify a location of the computer on which the malicious 
program is running (col 6, lines 15-23; Lyle discloses a product with a tracking system 
for the network elements of the protected area). 

But Lyle failed to teach the claim limitation wherein to detect a pattern in the 
traffic originating from at least one of the addresses that is indicative of a malicious 
program running on a computer at the at least one of the addresses by determining that 
the computer has transmitted packets to a large number of different destination 
addresses. 

However, Givoly teaches the limitation wherein to detect a pattern in the traffic 
originating from at least one of the addresses that is indicative of a malicious program 
running on a computer at the at least one of the addresses by determining that the 
computer has transmitted packets to a large number of different destination addresses 
(col 5, lines 33-40; 48-54). 
It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Givoly so that the system would be able to recognize 
the pattern of the network attack. One would be motivated to do so to prevent the 
attack of the network. 

57. As to claim 94, Lyle and Givoly teach the product as recited in claim 93, wherein 
the instructions cause the computer to identify a port of a switch on the network to which 
the computer is connected, and to instruct the switch to disable the identified port (col 
16, line 54 - col 17, line 13; Lyle discloses a product that tracks the port at which the 
attack was detected in order to identify the port of the node through which packets or 
messages associated with the attack entered that node). 

58. As to claim 96, Lyle and Givoly teach the product as recited in claim 93, wherein 
the instructions cause the computer to detect the pattern by detecting a large number of 
packets transmitted by the computer to a specified port (col 12, line 63 - col 13, line 
8; Lyle discloses a product that detects when massive numbers of copies of a 
suspicious but relatively innocuous message are sent in the hope of overloading the 
security system). 
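The pattern recited in claims 93 and 96 above, a source that transmits packets to a large number of different destination addresses, or a large number of packets to one specified port, can be checked with a small fan-out counter. The following is an added illustration written for this document; it is not code from the application, from Lyle or from Givoly, and the addresses, thresholds and packet list are constructed for the example.

```python
"""Fan-out detector: flags a source that has sent packets to many distinct
destination addresses, or many packets to one destination port.
Added example; not the code of the application or of the cited patents."""
from collections import defaultdict

# Constructed sample traffic as (source, destination, destination port).
# One host touches 40 distinct destinations on one port; one host sends 60
# packets to a single destination and port; one host behaves normally.
SAMPLE_PACKETS = (
    [("10.0.0.5", f"192.0.2.{i}", 445) for i in range(1, 41)]
    + [("10.0.0.7", "192.0.2.1", 80), ("10.0.0.7", "192.0.2.2", 80),
       ("10.0.0.7", "192.0.2.1", 443)]
    + [("10.0.0.9", "192.0.2.9", 135) for _ in range(60)]
)


class FanOutDetector:
    """Thresholds are assumptions of this example, not values from the page."""

    def __init__(self, distinct_dst_threshold=32, port_packet_threshold=50):
        self.distinct_dst_threshold = distinct_dst_threshold
        self.port_packet_threshold = port_packet_threshold
        self.destinations = defaultdict(set)   # source -> set of destinations seen
        self.port_counts = defaultdict(int)    # (source, dst port) -> packet count

    def observe(self, src, dst, dst_port):
        self.destinations[src].add(dst)
        self.port_counts[(src, dst_port)] += 1

    def scanning_sources(self):
        """Sources whose distinct-destination count reached the threshold."""
        return sorted(s for s, d in self.destinations.items()
                      if len(d) >= self.distinct_dst_threshold)

    def port_flooding_sources(self):
        """(source, port) pairs whose packet count reached the threshold."""
        return sorted((s, p) for (s, p), n in self.port_counts.items()
                      if n >= self.port_packet_threshold)


def analyze(packets=SAMPLE_PACKETS):
    """Run the detector over a packet list and report both kinds of finding."""
    det = FanOutDetector()
    for src, dst, port in packets:
        det.observe(src, dst, port)
    return {"scanners": det.scanning_sources(),
            "port_floods": det.port_flooding_sources()}


if __name__ == "__main__":
    print(analyze())
```

In production the two tables would be aged over a time window; here they simply accumulate, which is enough to show that the distinct-destination count and the per-port packet count catch different behaviours (the first host trips only the first check, the third host only the second).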

59. As to claim 97, Lyle teaches a computer software product, comprising: 

a computer-readable medium in which program instructions are stored, which 
instructions, when read by a computer, cause the computer to monitor the 
communication traffic on a network so as to detect packets that are indicative of a 
communication failure in the network that is characteristic of a worm infection (col 10, 
lines 53-59; Lyle discloses a product that monitors the network traffic for activity that is 
suspicious in the sense that it indicates that an attack may be taking place), 

to detect an increase in a rate of arrival of the packets that are indicative of the 
communication failure (col 10, line 60 - col 11, line 1; Lyle discloses a product 
that determines whether the rate of certain types of messages exceeds a normal level). 

But Lyle failed to teach the claim limitation wherein responsively to the increase, 
to filter the communication traffic so as to remove at least a portion of the 
communication traffic that is generated by the worm infection. 

However, Givoly teaches the limitation wherein responsively to the increase, to 
filter the communication traffic so as to remove at least a portion of the communication 
traffic that is generated by the worm infection (col 6, lines 45-48; col 7, lines 18-21). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Givoly so that the system would be able to discard 
an aggregated portion of the information. One would be motivated to do so to prevent 
overload and infection of the network. 
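Both the baseline-and-deviation limitation of claim 69 and the rate-increase limitation of claim 97 reduce to the same computation: learn a normal rate (with its variance) for an indicator such as ICMP unreachable packets or failed TCP connections, then flag intervals whose rate exceeds that baseline. The following is an added example written for this document, not code from the application or from Lyle or Givoly; the per-interval counts, the `k` multiplier, the standard-deviation floor and the two-interval persistence rule are all constructed assumptions.

```python
"""Baseline-and-deviation detector for communication-failure indicators.
Added example; not the code of the application or of the cited patents."""
from statistics import fmean, pstdev

# Constructed counts of ICMP unreachable packets per 10-second interval.
BASELINE_COUNTS = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4]   # quiet period
LIVE_COUNTS = [4, 3, 5, 4, 21, 38, 47, 5, 3]              # period under test


def baseline(counts):
    """Mean and population standard deviation of the quiet-period counts."""
    return fmean(counts), pstdev(counts)


def deviations(live, mean, stdev, k=3.0, floor=1.0):
    """Indices of intervals whose count exceeds mean + k * stdev.

    The floor keeps a near-zero baseline variance from turning every small
    blip into a deviation (assumed safeguard, not from the page)."""
    threshold = mean + k * max(stdev, floor)
    return [i for i, c in enumerate(live) if c > threshold]


def decide_filtering(live, base, k=3.0, min_consecutive=2):
    """Return (filter?, interval index) once the deviation has persisted for
    min_consecutive intervals; a single noisy interval does not trigger."""
    mean, stdev = baseline(base)
    flagged = set(deviations(live, mean, stdev, k))
    run = 0
    for i in range(len(live)):
        run = run + 1 if i in flagged else 0
        if run >= min_consecutive:
            return True, i
    return False, None


if __name__ == "__main__":
    print(baseline(BASELINE_COUNTS))
    print(decide_filtering(LIVE_COUNTS, BASELINE_COUNTS))
```

With the constructed data the baseline mean is 3.5 and the threshold 6.5, so intervals 4, 5 and 6 deviate and filtering is decided at interval 5, the second consecutive deviation. Replaying the quiet period against itself produces no decision, which is the check a practitioner should run before trusting the thresholds.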

60. As to claim 98, Lyle and Givoly teach the product as recited in claim 97, wherein 
the instructions cause the computer to detect Internet Control Message Protocol (ICMP) 
unreachable packets as an indication of the communication failure (col 9, lines 7-37). 

61. As to claim 99, Lyle and Givoly teach the product as recited in claim 97, wherein 
the instructions cause the computer to detect failures to establish a Transmission 
Control Protocol (TCP) connection (col 22, lines 25-43). 

62. As to claim 100, Lyle teaches a computer software product, comprising: 

a computer-readable medium in which program instructions are stored, which 
instructions, when read by a computer, cause the computer to monitor the 
communication traffic on a network so as to detect ill-formed packets (col 7, lines 9-19; 
Lyle discloses a product that scans the network for suspicious data within the tracking 
system), 

to make a determination, responsively to the ill-formed packets, that at least a 
portion of the communication traffic has been generated by a worm infection (col 8, lines 
26-39; Lyle discloses a product whose alert module determines that a potential 
attack is under way). 

But Lyle failed to teach the claim limitation wherein responsively to the 
determination, to filter the communication traffic so as to remove the at least the portion 
of the communication traffic that is generated by the worm infection. 

However, Givoly teaches the limitation wherein responsively to the determination, 
to filter the communication traffic so as to remove the at least the portion of the 
communication traffic that is generated by the worm infection (col 6, lines 45-48; col 7, 
lines 18-21). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Givoly so that the system would be able to discard 
an aggregated portion of the information. One would be motivated to do so to prevent 
overload and infection of the network. 

63. As to claim 101, Lyle and Givoly teach the product as recited in claim 100, 
wherein the packets comprise a header specifying a communication protocol, and 
wherein the instructions cause the computer to detect that the packets contain data that 
are incompatible with the specified communication protocol (col 11, line 61 - col 12, 
line 19; Lyle discloses a product that determines an incompatible packet by 
measuring the numerical order of the packets). 

64. As to claim 102, Lyle and Givoly teach the product as recited in claim 100, 
wherein the packets comprise a header specifying a packet length, and wherein the 
instructions cause the computer to detect that the packets contain an amount of data 
that is incompatible with the specified packet length (col 18, lines 48-59; Lyle discloses 
a product that identifies a suspicious packet by its bits). 
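Claims 101 and 102 describe two concrete ill-formedness tests: data incompatible with the protocol named in the header, and an amount of data incompatible with the length named in the header. The following added example, written for this document and not taken from the application or from Lyle, checks both on a minimal IPv4 header; the packet builder, the sample packets and the minimum transport-header sizes used for the protocol check are constructed for the illustration (no checksum is computed).

```python
"""Ill-formed IPv4 packet checks: declared total length versus bytes on the
wire, and declared protocol versus the payload actually carried.
Added example; not the code of the application or of the cited patents."""
import struct

IPV4_FMT = "!BBHHHBBH4s4s"          # fixed 20-byte IPv4 header
# Smallest transport header each protocol can legally carry (assumed table).
MIN_TRANSPORT_HEADER = {1: 8, 6: 20, 17: 8}   # ICMP, TCP, UDP


def ipv4_header(pkt):
    """Parse the fixed header; None if the packet cannot even hold one."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, pkt[:20])
    return {"version": ver_ihl >> 4, "ihl": (ver_ihl & 0x0F) * 4,
            "total_len": total_len, "ttl": ttl, "proto": proto,
            "src": src, "dst": dst}


def check_packet(pkt):
    """Return the list of reasons the packet is ill-formed (empty if none)."""
    reasons = []
    hdr = ipv4_header(pkt)
    if hdr is None:
        return ["truncated: shorter than minimal IPv4 header"]
    if hdr["version"] != 4:
        reasons.append("version field is not 4")
    if hdr["ihl"] < 20 or hdr["ihl"] > len(pkt):
        reasons.append("IHL inconsistent with packet size")
    # Claim 102 style: header length field versus data actually present.
    if hdr["total_len"] != len(pkt):
        reasons.append(f"total length {hdr['total_len']} != {len(pkt)} bytes on wire")
    # Claim 101 style: declared protocol versus what the payload can hold.
    payload = pkt[hdr["ihl"]:] if hdr["ihl"] <= len(pkt) else b""
    need = MIN_TRANSPORT_HEADER.get(hdr["proto"])
    if need is not None and len(payload) < need:
        reasons.append(f"protocol {hdr['proto']} payload too short for its header")
    return reasons


def build(total_len, proto, payload, ihl=5):
    """Constructed packet builder for the examples; checksum left at zero."""
    hdr = struct.pack(IPV4_FMT, (4 << 4) | ihl, 0, total_len, 1, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


# Constructed samples: a well-formed UDP packet, one whose length field lies,
# and one claiming TCP but carrying less than a TCP header.
GOOD_UDP = build(20 + 8 + 4, 17, bytes(8) + b"abcd")
BAD_LEN = build(200, 17, bytes(8) + b"abcd")
BAD_TCP = build(20 + 5, 6, b"\x00" * 5)

if __name__ == "__main__":
    for name, p in [("GOOD_UDP", GOOD_UDP), ("BAD_LEN", BAD_LEN), ("BAD_TCP", BAD_TCP)]:
        print(name, check_packet(p) or "ok")
```

A real monitor would also validate the header checksum and the IHL options region; the two checks shown are the ones the claims name, and they are cheap enough to run on every packet.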

65. As to claim 103, Lyle and Givoly teach the method as recited in claim 1, wherein 
identifying the subset comprises selecting clients for inclusion in the subset while 
excluding servers (figure 1; Lyle teaches a method that includes the users in the subset 
for the edge router). 

66. As to claim 105, Lyle and Givoly teach the apparatus as recited in claim 35, 
wherein the subset includes clients while excluding servers (figure 1; Lyle teaches the 
apparatus of including the users in the subset for the edge router). 

67. As to claim 107, Lyle and Givoly teach the product as recited in claim 69, wherein 
the subset includes clients while excluding servers (figure 1; Lyle teaches the product of 
including the users in the subset for the edge router). 
68. Claims 12-13, 46-47, and 80-81 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Lyle, Patent No. 6,886,102 B1 in view of Givoly, Patent No. 
7,099,940 B2, and further in view of Porras, Patent No. 6,321,338 B1. 

Lyle teaches the invention substantially as claimed including system and method 
for protecting a computer network against denial of service attacks (see abstract). 

69. As to claim 12, Lyle and Givoly teach the method as recited in claim 1. But Lyle 
and Givoly failed to teach the claim limitation wherein receiving packets that are 
indicative of a communication failure in the network that is characteristic of a worm 
infection, and wherein filtering the communication traffic comprises deciding to filter the 
communication traffic responsively to receiving the packets. 

However, Porras teaches network surveillance (see abstract). Porras teaches 
the limitation wherein receiving packets that are indicative of a communication failure in 
the network that is characteristic of a worm infection, and wherein filtering the 
communication traffic comprises deciding to filter the communication traffic responsively 
to receiving the packets (col 9, lines 49-63). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Porras so that the 
engine could filter out the unwanted packets. One would be motivated to do so to 
prevent the potential attack and ensure the reliability of the network. 

70. As to claim 13, Lyle and Givoly teach the method as recited in claim 12. But Lyle 
and Givoly failed to teach the claim limitation wherein receiving the packets comprises 
receiving Internet Control Message Protocol (ICMP) unreachable packets. 
However, Porras teaches the limitation wherein receiving the packets comprises 
receiving Internet Control Message Protocol (ICMP) unreachable packets (col 5, lines 4- 
29). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Porras so that the 
ICMP packets that reach the gateway are filtered out. One would be motivated to do so 
to ensure that the ill-formed packets will not travel into the network. 

71. As to claim 46, Lyle and Givoly teach the apparatus as recited in claim 35. But 
Lyle and Givoly failed to teach the claim limitation wherein the guard device is adapted 
to receive packets that are indicative of a communication failure in the network that is 
characteristic of a worm infection, and to decide to filter the communication traffic 
responsively to receiving the packets. 

However, Porras teaches the limitation wherein the guard device is adapted to 
receive packets that are indicative of a communication failure in the network that is 
characteristic of a worm infection, and to decide to filter the communication traffic 
responsively to receiving the packets (col 9, lines 49-63). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Porras so that the 
engine could filter out the unwanted packets. One would be motivated to do so to 
prevent the potential attack and ensure the reliability of the network. 
72. As to claim 47, Lyle and Givoly teach the apparatus as recited in claim 46. But 
Lyle and Givoly failed to teach the claim limitation wherein the packets comprise 
Internet Control Message Protocol (ICMP) unreachable packets. 

However, Porras teaches the limitation wherein the packets comprise Internet 
Control Message Protocol (ICMP) unreachable packets (col 5, lines 4-29). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Porras so that the 
ICMP packets that reach the gateway are filtered out. One would be motivated to do so 
to ensure that the ill-formed packets will not travel into the network. 

73. As to claim 80, Lyle and Givoly teach the product as recited in claim 69. But Lyle 
and Givoly failed to teach the claim limitation wherein the instructions cause the 
computer to receive packets that are indicative of a communication failure in the 
network that is characteristic of a worm infection, and to decide to filter the 
communication traffic responsively to receiving the packets. 

However, Porras teaches the limitation wherein the instructions cause the 
computer to receive packets that are indicative of a communication failure in the 
network that is characteristic of a worm infection, and to decide to filter the 
communication traffic responsively to receiving the packets (col 9, lines 49-63). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Porras so that the 
engine could filter out the unwanted packets. One would be motivated to do so to 
prevent the potential attack and ensure the reliability of the network. 
74. As to claim 81, Lyle and Givoly teach the product as recited in claim 80. But Lyle 
and Givoly failed to teach the claim limitation wherein the packets comprise Internet 
Control Message Protocol (ICMP) unreachable packets. 

However, Porras teaches the limitation wherein the packets comprise Internet 
Control Message Protocol (ICMP) unreachable packets (col 5, lines 4-29). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Porras so that the 
ICMP packets that reach the gateway are filtered out. One would be motivated to do so 
to ensure that the ill-formed packets will not travel into the network. 



75. Claims 14-20, 23-24, 48-54, 57-58, 82-88, and 91-92 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Lyle, Patent No. 6,886,102 B1 in view of 
Givoly, Patent No. 7,099,940 B2, and further in view of Trcka, Patent No. 2001/0039579 
A1. 

Lyle teaches the invention substantially as claimed including system and method 
for protecting a computer network against denial of service attack (see abstract). 

76. As to claim 14, Lyle and Givoly teach the method as recited in claim 1. But Lyle 
and Givoly failed to teach the claim limitation wherein monitoring the communication 
traffic comprises making a determination that one or more packets transmitted over the 
network are ill-formed, and wherein filtering the communication traffic comprises 
deciding to filter the communication traffic responsively to the ill-formed packets. 

However, Trcka teaches network security and surveillance system (see abstract). 
Trcka teaches the limitation wherein monitoring the communication traffic comprises 
making a determination that one or more packets transmitted over the network are ill- 
formed, and wherein filtering the communication traffic comprises deciding to filter the 
communication traffic responsively to the ill-formed packets (page 4, paragraph 41). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Trcka so that the 
system would filter out the malicious packets. One would be motivated to do so to 
ensure the safety of the network from viruses and hackers. 

77. As to claim 15, Lyle and Givoly teach the method as recited in claim 1. But Lyle 
and Givoly failed to teach the claim limitation wherein detecting the deviation comprises 
incrementing a count of events that are indicative of the malicious origin of the 
communication traffic, and deciding whether to filter the communication traffic 
responsively to the count. 

However, Trcka teaches the limitation wherein detecting the deviation comprises 
incrementing a count of events that are indicative of the malicious origin of the 
communication traffic, and deciding whether to filter the communication traffic 
responsively to the count (page 7, paragraph 79; page 8, paragraph 80). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Trcka so that the 



Application/Control Number: 10/774,169 Page 33 

Art Unit: 2155 

system could enable and disable packet filtering. One would be motivated to do so to 
record the data-link level traffic without interfering with the normal flow of traffic. 

78. As to claim 16, Lyle and Givoly teach the method as recited in claim 15, wherein 
detecting the deviation comprises receiving data packets of potentially malicious origin, 
each data packet having a respective source address and destination address, and 
wherein incrementing the count comprises determining an amount by which to 
increment the count responsively to a given data packet depending upon whether 
among the data packets received previously, responsively to which the count was 
incremented, at least one data packet had the same respective source address and at 
least one data packet had the same respective destination address as the given data 
packet (col 7, lines 38-49; col 19, line 51 - col 20, line 23; Lyle discloses a 
method that identifies the messages related to a known or suspected attack or to the 
possibility that an attack is taking place). 

79. As to claim 17, Lyle and Givoly teach the method as recited in claim 16, wherein 
determining the amount by which to increment the count comprises incrementing the 
count only if none of the data packets received previously, responsively to which the 
count was incremented, had at least one of the same respective source address and 
the same respective destination address as the given data packet (col 15, line 48 - col 
16, line 6; Lyle discloses a method of tracking back to the point of attack at 
which the attack entered the network or sub-network). 
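The counting rule of claims 15 through 17 is easy to get wrong in one direction: if every suspicious packet from one infected host adds to the count, a single host drives the count past the threshold by itself, while claim 17's rule of counting a packet only when neither its source nor its destination has been counted before measures how many distinct pairs are involved. The following added example, written for this document and not taken from the application or from Lyle, implements both the strict rule of claim 17 and a weighted variant in the spirit of claim 16; the weights (1, 0.5, 0), the threshold and the event list are constructed assumptions, since the page gives no values.

```python
"""Event counter in the style of claims 15-17: the amount added for a new
suspicious packet depends on whether earlier counted packets already shared
its source and/or destination address.
Added example; not the code of the application or of the cited patents."""

# Constructed events as (source address, destination address).
SAMPLE_EVENTS = [
    ("10.0.0.5", "192.0.2.1"),
    ("10.0.0.5", "192.0.2.2"),   # same source as the first event
    ("10.0.0.5", "192.0.2.3"),   # same source again
    ("10.0.0.6", "192.0.2.1"),   # new source, destination already counted
    ("10.0.0.7", "192.0.2.9"),   # wholly new pair
    ("10.0.0.5", "192.0.2.1"),   # exact repeat of the first event
]


class NoveltyCounter:
    def __init__(self, threshold=3, strict=True):
        self.threshold = threshold
        self.strict = strict
        self.count = 0
        self.seen_src = set()     # sources of packets that raised the count
        self.seen_dst = set()     # destinations of packets that raised the count

    def increment_amount(self, src, dst):
        src_seen = src in self.seen_src
        dst_seen = dst in self.seen_dst
        if self.strict:
            # Claim 17: count only if neither address was counted before.
            return 0 if (src_seen or dst_seen) else 1
        # Claim 16 style: the amount depends on how much of the pair is new.
        # The weights are an assumption of this example.
        if src_seen and dst_seen:
            return 0.0
        if src_seen or dst_seen:
            return 0.5
        return 1.0

    def observe(self, src, dst):
        amt = self.increment_amount(src, dst)
        if amt:
            self.count += amt
            # Only packets that raised the count are remembered, as the
            # claims recite ("responsively to which the count was incremented").
            self.seen_src.add(src)
            self.seen_dst.add(dst)
        return self.count

    def should_filter(self):
        return self.count >= self.threshold


def run(events=SAMPLE_EVENTS, strict=True, threshold=3):
    """Feed the events through a counter; return (final count, filter?)."""
    counter = NoveltyCounter(threshold=threshold, strict=strict)
    for src, dst in events:
        counter.observe(src, dst)
    return counter.count, counter.should_filter()


if __name__ == "__main__":
    print("strict  :", run(strict=True))
    print("weighted:", run(strict=False))
```

On the constructed events the strict rule counts only two wholly new pairs and does not reach the threshold, while the weighted rule reaches 3.5 and does. Which is right depends on whether the operator wants to react to breadth (many distinct pairs) or to volume; the claims leave the amount to the implementation.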

80. As to claim 18, Lyle and Givoly teach the method as recited in claim 1. But Lyle 
and Givoly failed to teach the claim limitation wherein detecting the deviation comprises 
detecting a type of the communication traffic that appears to be of the malicious origin, 
and wherein filtering the communication traffic comprises intercepting the 
communication traffic of the detected type. 

However, Trcka teaches the limitation wherein detecting the deviation comprises 
detecting a type of the communication traffic that appears to be of the malicious origin, 
and wherein filtering the communication traffic comprises intercepting the 
communication traffic of the detected type (figure 3). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Trcka so that the 
suspicious packets are filtered. One would be motivated to do so to ensure the safety of 
the network. 

81. As to claim 19, Lyle and Givoly teach the method as recited in claim 18, wherein 
detecting the type comprises determining at least one of a communication protocol and 
a port that is characteristic of the communication traffic (col 5, lines 34-44; Lyle 
discloses a method of managing the exchange of information between network 
elements located at different physical locations via external connections such as an 
Internet connection). 

82. As to claim 20, Lyle and Givoly teach the method as recited in claim 18, wherein 
detecting the type comprises determining one or more source addresses of the 
communication traffic that appears to be of the malicious origin, and intercepting the 
communication traffic sent from the one or more source addresses (col 16, lines 44-49; 
Lyle discloses a method of tracking the source of an attack to determine the point 
of attack at which it is entering the network or sub-network). 

83. As to claim 23, Lyle and Givoly teach the method as recited in claim 1. But Lyle 
and Givoly failed to teach the claim limitation wherein monitoring and filtering the 
communication traffic comprise monitoring and filtering the communication traffic that is 
transmitted into a protected area of the network containing the group of the addresses 
so as to exclude the communication traffic from the area. 

However, Trcka teaches the limitation wherein monitoring and filtering the 
communication traffic comprise monitoring and filtering the communication traffic that is 
transmitted into a protected area of the network containing the group of the addresses 
so as to exclude the communication traffic from the area (figure 5). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Trcka so that the 
suspicious packets that try to enter the protected area are filtered. One would be 
motivated to do so to improve the network security. 

84. As to claim 24, Lyle and Givoly teach the method as recited in claim 23, and 
comprising monitoring the communication traffic that is transmitted by computers in the 
protected area so as to detect an infection of one or more of the computers by a 
malicious program (col 10, lines 35-38; Lyle discloses a method of tracking the 
systems interconnected across the network, such as a private network which is a 
protected area). 
85. As to claim 48, Lyle and Givoly teach the apparatus as recited in claim 35. But 
Lyle and Givoly failed to teach the claim limitation wherein the guard device is adapted 
to make a determination that one or more packets transmitted over the network are ill- 
formed, and to decide to filter the communication traffic responsively to the ill-formed 
packets. 

However, Trcka teaches the limitation wherein the guard device is adapted to 
make a determination that one or more packets transmitted over the network are ill- 
formed, and to decide to filter the communication traffic responsively to the ill-formed 
packets (page 4, paragraph 41). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Trcka so that the 
system would filter out the malicious packets. One would be motivated to do so to 
ensure the safety of the network from viruses and hackers. 

86. As to claim 49, Lyle and Givoly teach the apparatus as recited in claim 35. But 
Lyle and Givoly failed to teach the claim limitation wherein the guard device is adapted 
to increment a count of events that are indicative of the malicious origin of the 
communication traffic, and to decide whether to filter the communication traffic 
responsively to the count. 

However, Trcka teaches the limitation wherein the guard device is adapted to 
increment a count of events that are indicative of the malicious origin of the 
communication traffic, and to decide whether to filter the communication traffic 
responsively to the count (page 7, paragraph 79; page 8, paragraph 80). 
It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Trcka so that the 
system could enable and disable packet filtering. One would be motivated to do so to 
record the data-link level traffic without interfering with the normal flow of traffic. 

87. As to claim 50, Lyle and Givoly teach the apparatus as recited in claim 49, 
wherein the guard device is coupled to receive data packets of potentially malicious 
origin, each data packet having a respective source address and destination address, 
and is adapted to determine an amount by which to increment the count responsively to 
a given data packet depending upon whether among the data packets received 
previously, responsively to which the count was incremented, at least one data packet 
had the same respective source address and at least one data packet had the same 
respective destination address as the given data packet (col 7, lines 38-49; col 19, line 
51 - col 20, line 23; Lyle discloses an apparatus that identifies the messages 
related to a known or suspected attack or to the possibility that an attack is taking place). 

88. As to claim 51, Lyle and Givoly teach the apparatus as recited in claim 40, 
wherein the guard device is adapted to increment the count only if none of the data 
packets received previously, responsively to which the count was incremented, had at 
least one of the same respective source address and the same respective destination 
address as the given data packet (col 15, line 48 - col 16, line 6; Lyle discloses an 
apparatus for tracking back to the point of attack at which the attack entered the 
network or sub-network). 
89. As to claim 52, Lyle and Givoly teach the apparatus as recited in claim 35. But 
Lyle and Givoly failed to teach the claim limitation wherein the guard device is adapted 
to detect a type of the communication traffic that appears to be of the malicious origin, 
and to filter the communication traffic by intercepting the communication traffic of the 
detected type. 

However, Trcka teaches the limitation wherein the guard device is adapted to 
detect a type of the communication traffic that appears to be of the malicious origin, and 
to filter the communication traffic by intercepting the communication traffic of the 
detected type (figure 3). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Trcka so that the 
suspicious packets are filtered. One would be motivated to do so to ensure the safety of 
the network. 

90. As to claim 53, Lyle and Givoly teach the apparatus as recited in claim 52, 
wherein the type of the communication traffic that appears to be of the malicious origin 
is characterized by at least one of a communication protocol and a port (col 5, lines 34- 
44; Lyle discloses an apparatus for managing the exchange of information between 
network elements located at different physical locations via external connections such 
as an Internet connection). 

91. As to claim 54, Lyle and Givoly teach the apparatus as recited in claim 52, 
wherein the guard device is adapted to determine one or more source addresses of the 
communication traffic that appears to be of the malicious origin, and to intercept the 
communication traffic sent from the one or more source addresses (col 16, lines 44-49; 
Lyle discloses an apparatus for tracking the source of an attack to determine the 
point of attack at which it is entering the network or sub-network). 

92. As to claim 57, Lyle and Givoly teach the apparatus as recited in claim 35. But 
Lyle and Givoly failed to teach the claim limitation wherein the guard device is adapted 
to monitor and filter the communication traffic that is transmitted into a protected area of 
the network containing the group of the addresses so as to exclude the communication 
traffic from the area. 

However, Trcka teaches the limitation wherein the guard device is adapted to 
monitor and filter the communication traffic that is transmitted into a protected area of 
the network containing the group of the addresses so as to exclude the communication 
traffic from the area (figure 5). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Trcka so that 
suspicious packets attempting to enter the protected area would be filtered. One would be 
motivated to do so to improve the network security. 

93. As to claim 58, Lyle and Givoly teach the apparatus as recited in claim 57, 
wherein the guard device is adapted to monitor the communication traffic that is 
transmitted by computers in the protected area so as to detect an infection of one or 
more of the computers by a malicious program (col 10, lines 35-38; Lyle discloses an 
apparatus for tracking the system interconnect across the network, such as a private 
network, which is a protected area). 
94. As to claim 82, Lyle and Givoly teach the product as recited in claim 69. But Lyle 
and Givoly failed to teach the claim limitation wherein the instructions cause the 
computer to make a determination that one or more packets transmitted over the 
network are ill-formed, and to decide to filter the communication traffic responsively to 
the ill-formed packets. 

However, Trcka teaches the limitation wherein the instructions cause the 
computer to make a determination that one or more packets transmitted over the 
network are ill-formed, and to decide to filter the communication traffic responsively to 
the ill-formed packets (page 4, paragraph 41). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Trcka so that the 
system would filter out the malicious packets. One would be motivated to do so to 
ensure the safety of the network from viruses and hackers. 

95. As to claim 83, Lyle and Givoly teach the product as recited in claim 69. But Lyle 
and Givoly failed to teach the claim limitation wherein the instructions cause the 
computer to increment a count of events that are indicative of the malicious origin of the 
communication traffic, and to decide whether to filter the communication traffic 
responsively to the count. 

However, Trcka teaches the limitation wherein the instructions cause the 
computer to increment a count of events that are indicative of the malicious origin of the 
communication traffic, and to decide whether to filter the communication traffic 
responsively to the count (page 7, paragraph 79; page 8, paragraph 80). 
It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Trcka so that the 
system could enable or disable packet filtering. One would be motivated to do so to 
record the data-link level traffic without interfering with the normal flow of traffic. 

96. As to claim 84, Lyle and Givoly teach the product as recited in claim 83, wherein 
when the computer is coupled to receive data packets of potentially malicious origin, 
each data packet having a respective source address and destination address, the 
instructions cause the computer to determine an amount by which to increment the 
count responsively to a given data packet depending upon whether among the data 
packets received previously, responsively to which the count was incremented, at least 
one data packet had the same respective source address and at least one data packet 
had the same respective destination address as the given data packet (col 7, lines 38- 
49; col 19, line 51 - col 20, line 23; Lyle discloses a product that identifies the 
messages related to a known or suspected attack or the possibility that an attack is taking 
place). 

97. As to claim 85, Lyle and Givoly teach the product as recited in claim 84, wherein 
the instructions cause the computer to increment the count only if none of the data 
packets received previously, responsively to which the count was incremented, had at 
least one of the same respective source address and the same respective destination 
address as the given data packet (col 15, line 48 - col 16, line 6; Lyle discloses a 
product that tracks back to the point of attack at which the attack entered the 
network or sub-network). 
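The counting rule recited in claims 83-85 (increment a count of suspicious events, weight each increment by whether earlier counted packets shared the packet's source and destination address, and filter once the count justifies it) is easier to follow in code. The block below is an added illustration written for this page; it is not code from the application, from Lyle, Givoly or Trcka, or from any product. The packet addresses, the increment weights (0 or 1) and the threshold of 4 are constructed assumptions; the claims themselves fix none of these values.

```python
"""Illustration of an event counter in the style of claims 83-85.

Added example for this page only; not the application's or the cited
references' code. Addresses, weights and threshold are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str  # source address
    dst: str  # destination address


@dataclass
class MaliciousEventCounter:
    """Counts events indicative of malicious origin and decides on filtering.

    strict=False follows the claim-84 style rule: the increment amount depends
    on whether earlier counted packets already had this source AND this
    destination (assumed weights: 0 if both were seen, otherwise 1).
    strict=True follows the claim-85 style rule: increment only if no earlier
    counted packet had the same source OR the same destination.
    """
    threshold: int                      # assumed value at which filtering is decided
    strict: bool = False
    count: int = 0
    # Only packets that actually incremented the count are remembered, as the
    # claims recite ("responsively to which the count was incremented").
    counted_srcs: set = field(default_factory=set)
    counted_dsts: set = field(default_factory=set)

    def increment_amount(self, pkt: Packet) -> int:
        src_seen = pkt.src in self.counted_srcs
        dst_seen = pkt.dst in self.counted_dsts
        if self.strict:
            return 0 if (src_seen or dst_seen) else 1
        return 0 if (src_seen and dst_seen) else 1

    def observe(self, pkt: Packet) -> bool:
        """Update the count for one packet; return True once filtering is warranted."""
        amount = self.increment_amount(pkt)
        if amount:
            self.count += amount
            self.counted_srcs.add(pkt.src)
            self.counted_dsts.add(pkt.dst)
        return self.count >= self.threshold


# Constructed sample: one host (10.0.0.5) probing several destinations, the
# pattern a scanning worm produces, mixed with a repeat and two other hosts.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.1.1"),
    Packet("10.0.0.5", "10.0.1.2"),
    Packet("10.0.0.5", "10.0.1.1"),   # repeat of a counted src/dst pair
    Packet("10.0.0.9", "10.0.1.1"),
    Packet("10.0.0.5", "10.0.1.3"),
    Packet("10.0.0.7", "10.0.2.9"),
]


def evaluate(packets, threshold: int = 4, strict: bool = False):
    """Run the counter over packets; return (final count, filter decision)."""
    counter = MaliciousEventCounter(threshold=threshold, strict=strict)
    decision = False
    for pkt in packets:
        decision = counter.observe(pkt)
    return counter.count, decision


if __name__ == "__main__":
    for strict in (False, True):
        count, decide = evaluate(SAMPLE_PACKETS, strict=strict)
        print(f"strict={strict}: count={count}, filter={decide}")
```

With the constructed sample the claim-84 style rule reaches a count of 5 and decides to filter, while the claim-85 style rule counts only the two packets whose source and destination were both new and stays below the threshold; the stricter rule is less sensitive to a single chatty source, at the cost of reacting later to a scanning host.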
98. As to claim 86, Lyle and Givoly teach the product as recited in claim 69. But Lyle 
and Givoly failed to teach the claim limitation wherein the instructions cause the 
computer to detect a type of the communication traffic that appears to be of the 
malicious origin, and to filter the communication traffic by intercepting the 
communication traffic of the detected type. 

However, Trcka teaches the limitation wherein the instructions cause the 
computer to detect a type of the communication traffic that appears to be of the 
malicious origin, and to filter the communication traffic by intercepting the 
communication traffic of the detected type (figure 3). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Trcka so that the 
suspicious packets would be filtered. One would be motivated to do so to ensure the safety 
of the network. 

99. As to claim 87, Lyle and Givoly teach the product as recited in claim 86, wherein 
the type of the communication traffic that appears to be of the malicious origin is 
characterized by at least one of a communication protocol and a port (col 5, lines 34-44; 
Lyle discloses a product for managing the exchange of information between 
network elements located at different physical locations via external connections such 
as an Internet connection). 

100. As to claim 88, Lyle and Givoly teach the product as recited in claim 86, wherein 
the instructions cause the computer to determine one or more source addresses of the 
communication traffic that appears to be of the malicious origin, and to intercept the 
communication traffic sent from the one or more source addresses (col 16, lines 44-49; 
Lyle discloses a product for tracking the source of an attack to determine the point 
of attack at which it is entering the network or sub-network). 

101. As to claim 91, Lyle and Givoly teach the product as recited in claim 69. But Lyle 
and Givoly failed to teach the claim limitation wherein the instructions cause the 
computer to monitor and filter the communication traffic that is transmitted into a 
protected area of the network containing the group of the addresses so as to exclude 
the communication traffic from the area. 

However, Trcka teaches the limitation wherein the instructions cause the 
computer to monitor and filter the communication traffic that is transmitted into a 
protected area of the network containing the group of the addresses so as to exclude 
the communication traffic from the area (figure 5). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Trcka so that 
suspicious packets attempting to enter the protected area would be filtered. One would be 
motivated to do so to improve the network security. 

102. As to claim 92, Lyle and Givoly teach the product as recited in claim 91, wherein 
the instructions cause the computer to monitor the communication traffic that is 
transmitted by computers in the protected area so as to detect an infection of one or 
more of the computers by a malicious program (col 10, lines 35-38; Lyle discloses a 
product for tracking the system interconnect across the network, such as a private 
network, which is a protected area). 
103. Claims 104, 106 & 108 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Lyle, Patent No. 6,886,102 B1 in view of Givoly, Patent No. 
7,099,940 B2, and further in view of Bartleson, Patent No. 6,934,857 B1. 

Lyle teaches the invention substantially as claimed including system and method 
for protecting a computer network against denial of service attacks (see abstract). 

104. As to claim 104, Lyle and Givoly teach the method as recited in claim 1. But Lyle 
failed to teach the claim limitation wherein identifying the subset comprises selecting 
trap addresses that are not used by actual computers for inclusion in the subset. 

However, Bartleson teaches a security system and method for handheld 
computers (see abstract). Bartleson teaches the limitation wherein identifying the 
subset comprises selecting trap addresses that are not used by actual computers for 
inclusion in the subset (col 6, line 44 - col 7, line 24). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Bartleson so that the 
patch is loaded in the operating system when the security system is enabled. One 
would be motivated to do so to create the trap address from the original address and 
replace it with the new patch, so that the information is transferred to the trap address 
once the virus or malicious packets are detected. 

105. As to claim 106, Lyle and Givoly teach the apparatus as recited in claim 35. But 
Lyle failed to teach the claim limitation wherein the subset includes trap addresses that 
are not used by actual computers. 
However, Bartleson teaches the limitation wherein the subset includes trap 
addresses that are not used by actual computers (col 6, line 44 - col 7, line 24). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Bartleson so that the 
patch is loaded in the operating system when the security system is enabled. One 
would be motivated to do so to create the trap address from the original address and 
replace it with the new patch, so that the information is transferred to the trap address 
once the virus or malicious packets are detected. 

106. As to claim 108, Lyle and Givoly teach the product as recited in claim 69. But 
Lyle failed to teach the claim limitation wherein the subset includes trap addresses that 
are not used by actual computers. 

However, Bartleson teaches the limitation wherein the subset includes trap 
addresses that are not used by actual computers (col 6, line 44 - col 7, line 24). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Givoly in view of Bartleson so that the 
patch is loaded in the operating system when the security system is enabled. One 
would be motivated to do so to create the trap address from the original address and 
replace it with the new patch, so that the information is transferred to the trap address 
once the virus or malicious packets are detected. 
Contact Information 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Thuong (Tina) Nguyen, whose telephone number is 571- 
272-3864, and the fax number is 571-273-3864. The examiner can normally be 
reached from 8:00 AM to 5:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Saleh Najjar can be reached on 571-272-4006. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 